Smithsonian Institution
Office of the Inspector General

April 27, 2012

Via Electronic Transmission

Honorable Darrell Issa
United States House of Representatives
Committee on Oversight and Government Reform
2157 Rayburn House Office Building
Washington, DC 20515-6143

Dear Chairman Issa:

We received your letter, dated April 4, 2012, in which you requested information about our open and unimplemented recommendations. The following is our response to your inquiry.

1. Identify the current number of open and unimplemented IG recommendations.

We have 60 open and unimplemented recommendations, of which 8 are past-due and 52 have implementation dates that have not yet passed.

2. For those recommendations that have an estimated cost savings associated with them, identify each recommendation, the date it was first recommended, and the total estimated cost savings your office believes would be possible if agency management implemented the recommendation.

We do not have any open recommendations that have quantifiable cost savings. However, we are tracking cost savings associated with a closed recommendation from the Administration of the Workers Compensation Program audit. The potential cost saving of that recommendation is approximately $4.2 million.

3. Of the open and unimplemented recommendations identified, which does your office consider to be the three most important? For each identify:

    a. The status of the recommendation, including whether agency management has agreed or disagreed with the recommendation;
    b. The cost savings associated with the recommendation (if applicable); and,
    c. Whether there are plans to implement the recommendation in 2012.

We believe that three areas we have audited are of particular concern: security of information systems; privacy; and stewardship of museum collections. The Smithsonian has agreed with our recommendations in these areas. Accordingly, we consider the following sets of open and unimplemented recommendations to be the most important.

Security of Information Systems

We have issued a series of recommendations to improve the security and integrity of the Institution's information systems. The following are some of the more important open recommendations:

    • Based on the type of personally identifiable information (PII) stored in the system, re-assess the security categorization for major systems currently categorized as low-impact systems;
    • Ensure that all systems are addressed in system security plans in accordance with OMB and NIST guidelines;
    • Establish procedures to ensure existing policies requiring the use of standard configuration baselines are implemented and enforced; and
    • Implement controls to ensure that all Smithsonian-owned laptops/mobile devices that may be used to store sensitive information are secured with an appropriate encryption technology.

The Smithsonian has agreed to implement these recommendations in this calendar year.

Privacy

We have issued a series of recommendations to strengthen the Institution's privacy program. In 2010, the Smithsonian hired a Privacy Officer who is in the process of building a privacy program. We recently met with the Privacy Officer and the Under Secretary for Finance and Administration (USF&A) to discuss the ten outstanding privacy recommendations. These recommendations include:

    • Reducing the PII holdings to the extent practicable;
    • Developing and implementing privacy policies and procedures to support an overall privacy program that addresses privacy-related risks, that safeguards documents with PII, and that identifies and documents PII used by the Smithsonian;
    • Enforcing compliance with new and existing privacy policies related to the protection of sensitive documents containing PII; and
    • Developing and implementing procedures for conducting privacy impact assessments.

We will continue to work with the Privacy Officer and the USF&A to prioritize these recommendations, determine if any of them are no longer relevant, and discuss a plan of action to close these recommendations.

Stewardship of Museum Collections

We have issued a series of recommendations to improve the stewardship of the collections at several Smithsonian museums. The recommendations pertain to collection practices such as accurate inventories, appropriate preservation programs, and adequate security. This year, we expect the Smithsonian to develop and refine catalog standards for completing object records, as well as to convert manual records to electronic formats. In addition, we anticipate management will develop a prioritized plan for addressing pan-Institutional collections storage needs. However, as we mentioned last year, improving the collections management practices will require a long-term commitment on the part of the museums.

4. Identify the number of recommendations your office deems accepted and implemented by the agency during the time period from April 7, 2011, to the present.

From April 7, 2011 to the present, we have closed 30 recommendations after they were accepted and implemented by the Smithsonian.

Please do not hesitate to call me on 202.633.7050 if you have any questions or if you would like to discuss our work.

Sincerely,

Scott S. Dahl
Inspector General

cc: The Honorable Elijah E. Cummings, Ranking Member

MRC 524
PO Box 37012
Washington DC 20013-7012
202.633.7050 Telephone
202.633.7079 Fax